Skip to main content

Facebook Open URL Redirection Vulnerability


About 2 week ago, I discovered an open url redirection vulnerability in Facebook that allowed me to have a facebook.com link redirect to any website without restrictions & users confirmation


Description:

[#] Title           :  Facebook Open URL Redirection 
[#] Status        :  fixed
[#] Severity     :  High
[#] Works on  :  Any browser with any version
[#] Homepage  : www.facebook.com
[#] Author       :  Jitendra Jaiswal ( India )


The flaw exists in the way facebook handled the u parameter. Visiting the link below would always redirect to the facebook homepage:
http://www.facebook.com/a.php?u=http%3A%2F%2Fjeet.com

But I noticed that changing the url to a another url , for example:
http://www.facebook.com/a.php?u=http%3A%2F%2Fyahoo.com

in that the target destination yahoo.com and it will redirect successfully:
http://www.facebook.com/a.php?u=http%3A%2F%2Fyahoo.com

Facebook have the ability to filter and ban particular websites from redirecting using their automatic spam and malware analysis. But not all malware/spam can be caught by Facebook, and by the time a link is banned, an attacker would have already moved on to another link.



Video Proof of Concept:




Facebook responded  after 12 days my report, and they were quick to patch the flaw in about a week and a half. The payout for this bug is $1,000.


Jitendra Jaiswal

Comments

Popular posts from this blog

Click-jacking or UI Redressing

Hi! Just want to share my finding, I have found Click-jacking or UI Redressing Vulnerability in   on Google Map , enjoy ;-) This bug was reported to Google Security Team, fixed immediately. About Title:  ClickJacking or UI Redressing on Google Map Business Risk: Normal Discovery Date: October 8, 2013 Author: Jitendra Jaiswal (me) Poc Details   Impact On victim :  1. attacker change victim profile pic by useing his webcam and upload 2. update status acording to attacker Best, Jeet Jaiswal

HC WeB : A Browser for HACKERS...

A Browser for HACKERS... Try for Free... Download HC WeB Setup Gallery: Online Penetration Testing Tools Index Information Gathering Whois DNS Location Info Enumeration and Fingerprint Data Mining Search Engines Editors Online Text Editors Share Text Snippets Network Utilities Ping HTTP HTTPS VNC Remote Desktop SSH DNS Sniffers Misc Forensics Frameworks URL Cloaking E-mail Password Cracking Encoders and Decoders Encoders Decoders Malwares Malware Analysis Identify Malicious Websites Suspected Malicious IPs and URLs Application Auditing SQL Injection Cross Site Scripting File Inclusion Anonymity Proxy Others Hackery Open Penetration Testing Bookmarks Collection Hacker Media Blogs, Forums, Magazines and Videos. Methodologies Penetration testing frameworks, standards and methodologies. OSINT Presentations, People, Organizations and Infrastructure.  Exploits an...

Microsoft remotely deleted Tor-based 'Sefnit Botnet' from more than 2 Million Systems

In October 2013,  Microsoft  adopted a silent, offensive method to tackle infection due to a Tor-based botnet malware called ' Sefnit '. In an effort to  takedown of the  Sefnit botnet  to protect windows users, Microsoft r emotely removes the older versions of installed Tor Browser software and infection from 2 Million systems, even without the knowledge of the system's owner. Last year in August, after Snowden revelations about the National Security Agency's ( NSA ) Spying programs, the Internet users were under fear of being spied. During the same time Tor Project leaders noticed almost 600% increase in the number of users over the anonymizing networks of Tor i.e. More than 600,000 users join Tor within few weeks. In September, researchers identified the major reason of increased Tor users i.e. A Tor-based botnet called ' Sefnit malware ', which was infecting millions of computers for click fraud and  bitcoin ...